Description
Discourse is an open-source discussion platform. Prior to versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2, moderators were able to see the first 40 characters of post edits in PMs and private categories. Versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2 contain a patch. No known workarounds are available.
Published: 2026-03-19
Score: 2.2 Low
EPSS: < 1% Very Low
KEV: No
Impact: Information Disclosure
Action: Apply Patch
AI Analysis

Impact

The vulnerability is a missing authorization check (CWE-862) in the moderator-facing "Post Edits" report: any moderator could see the first 40 characters of each edit, including edits to posts in private messages and in private (read-restricted) categories the moderator could not otherwise read. The role check gated the report as a whole, but individual rows were not filtered by whether the viewer was allowed to see the underlying topic, so a preview of otherwise hidden content leaked to staff who should not have had access. The disclosure is partial (a 40-character prefix per edit), which is reflected in the low CVSS score, but it can still expose confidential fragments of private conversations.
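To make the failure concrete, here is an added Ruby example (Discourse is a Rails application, but this is constructed illustration, not Discourse's own report code or patch) that models a moderator-only post-edits report twice: once with the role check only, so every row is rendered, and once with a per-row visibility filter applied before any preview is built. The `Viewer`, `Topic` and `Edit` structures, the `can_see_topic?` policy and the sample data are all assumptions for the example.

```ruby
# Added example (not Discourse's code): a minimal model of a moderator-only
# "post edits" report, first without and then with a per-row visibility
# check. Names, structures and policy are constructed for illustration.

Viewer = Struct.new(:id, :admin, :moderator, :group_ids)
Topic  = Struct.new(:id, :private_message, :allowed_user_ids, :read_restricted_group_ids)
Edit   = Struct.new(:id, :topic, :new_raw)

PREVIEW_LEN = 40

# Assumed visibility policy: admins see everything; a PM is visible only to
# its participants; a read-restricted category is visible only to members of
# its allowed groups; anything else is public.
def can_see_topic?(viewer, topic)
  return true if viewer.admin
  return topic.allowed_user_ids.include?(viewer.id) if topic.private_message
  return true if topic.read_restricted_group_ids.empty?
  !(viewer.group_ids & topic.read_restricted_group_ids).empty?
end

def preview_row(edit)
  { edit_id: edit.id, topic_id: edit.topic.id, preview: edit.new_raw[0, PREVIEW_LEN] }
end

# Vulnerable shape: the role check gates the report as a whole, but every
# row is rendered regardless of whether the viewer may read its topic.
def post_edits_report_vulnerable(viewer, edits)
  raise ArgumentError, "moderators only" unless viewer.admin || viewer.moderator
  edits.map { |e| preview_row(e) }
end

# Hardened shape: the same role check, plus a per-row authorization filter
# applied before any content (even a 40-character preview) is emitted.
def post_edits_report_hardened(viewer, edits)
  raise ArgumentError, "moderators only" unless viewer.admin || viewer.moderator
  edits.select { |e| can_see_topic?(viewer, e.topic) }.map { |e| preview_row(e) }
end

# Constructed sample data: one public topic, one PM the moderator is not
# party to, and one topic in a category restricted to group 42.
def sample_edits
  public_topic     = Topic.new(1, false, [], [])
  private_message  = Topic.new(2, true, [10, 11], [])
  staff_only_topic = Topic.new(3, false, [], [42])
  [
    Edit.new(100, public_topic,     "Fixed a typo in the public announcement."),
    Edit.new(101, private_message,  "Salary offer for the new hire is 120k, do not share"),
    Edit.new(102, staff_only_topic, "Incident postmortem: root password was reused"),
  ]
end

def sample_moderator
  Viewer.new(7, false, true, [1]) # moderator, not a PM participant, not in group 42
end

if __FILE__ == $PROGRAM_NAME
  mod = sample_moderator
  puts "vulnerable: #{post_edits_report_vulnerable(mod, sample_edits).size} rows"
  puts "hardened:   #{post_edits_report_hardened(mod, sample_edits).size} rows"
end
```

The point the example makes is that truncating to 40 characters is not a security control: the vulnerable report still hands the moderator the opening of a PM and of a restricted-category post. The authorization decision has to be made per row, against the viewer's actual read access to the topic, before any fragment of the content is serialized.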

Affected Systems

The affected product is Discourse, the open‑source discussion platform. All releases prior to 2026.3.0‑latest.1 on the latest branch, prior to 2026.2.1 on the 2026.2 stable branch, and prior to 2026.1.2 on the 2026.1 stable branch are vulnerable. The fix is included in those three releases and in everything after them; upgrading to the patched release of whichever branch you run resolves the issue.

Risk and Exploitability

The CVSS 3.1 score of 2.2 (AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:N/A:N) indicates low severity: the attacker must already hold high privileges (a moderator account), the impact is limited to a partial confidentiality loss, and integrity and availability are unaffected. The EPSS score of less than 1% suggests a low likelihood of exploitation, the SSVC assessment records no known exploitation and rates it not automatable, and the vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalog. In practice the only precondition is moderator access: a moderator opening the "Post Edits" report would see the first 40 characters of edits to posts in PMs and private categories without any further steps. The realistic threat is therefore an untrusted or compromised moderator account rather than an external attacker.

Generated by OpenCVE AI on March 24, 2026 at 22:27 UTC.

Remediation

The vendor fix is to upgrade to Discourse 2026.3.0‑latest.1, 2026.2.1, or 2026.1.2 (or later). No workaround is available for unpatched versions.

OpenCVE Recommended Actions

  • Upgrade to the patched release for your branch: 2026.3.0‑latest.1 (latest), 2026.2.1 (2026.2 stable), or 2026.1.2 (2026.1 stable).
  • Until patched, review which accounts hold the moderator role, since only moderators could reach the affected "Post Edits" report.
  • Regularly check Discourse’s security advisories for any new patches and keep the platform up to date.

Advisories

No advisories yet.

History

Tue, 24 Mar 2026 21:00:00 +0000

Type | Values Removed | Values Added
CPEs | | cpe:2.3:a:discourse:discourse:*:*:*:*:*:*:*:*
     | | cpe:2.3:a:discourse:discourse:2026.3.0:*:*:*:latest:*:*:*

Fri, 20 Mar 2026 21:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 20 Mar 2026 09:00:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Discourse; Discourse discourse
Vendors & Products | | Discourse; Discourse discourse

Thu, 19 Mar 2026 22:45:00 +0000

Type | Values Removed | Values Added
Description | | Discourse is an open-source discussion platform. Prior to versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2, moderators were able to see the first 40 characters of post edits in PMs and private categories. Versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2 contain a patch. No known workarounds are available.
Title | | Discourse has Improper Authorization in "Post Edits" Report For Moderators
Weaknesses | | CWE-862
References | |
Metrics | | cvssV3_1: {'score': 2.2, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-20T20:08:36.220Z

Reserved: 2026-03-19T17:02:34.171Z

Link: CVE-2026-33408

Vulnrichment

Updated: 2026-03-20T20:08:32.901Z

NVD

Status : Analyzed

Published: 2026-03-19T23:16:44.887

Modified: 2026-03-24T20:55:00.930

Link: CVE-2026-33408

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-25T11:54:24Z

Weaknesses